IPS Blocking XLS Download

An XLS file download triggers the following and my M270 blocks the download:
http://www.watchguard.com/SecurityPortal/ThreatDetail.aspx?rule_id=1133223

I managed to download the file and uploaded it to virustotal.com and other sites. I attached it to an email and sent it out. Nothing found. Could it be a false positive? How do I submit a false positive detection or submit the XLS for further inspection?

Comments

  • The CVE is from 2016.

    From the NIST link:

    Current Description

    Microsoft Excel 2007 SP3, Excel for Mac 2011, Office Compatibility Pack SP3, and Excel Viewer allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability."

    MS16-133 addresses this vulnerability.
    https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-133

    If you are not using any of the above versions of Excel, or you have applied the MS fix, then this is a false positive to you.

  • I understand it is affecting Excel 2007, but why does the Office version have anything to do with the block? Either the spreadsheet (or the website?) contains malware, or it is clean. Is there a way to report it to WatchGuard?

  • You need to understand what an IPS signature check does.
    It blindly applies whatever the signature is - to a file.
    If there is a match - then the block happens.
    The signature cannot know IF your software is at risk or not. It can't know what version of any software you have installed on your PCs, servers etc.
    It only knows what to look for in a file.

    So you should exclude this IPS signature as it does not apply to you.

    This is similar to a recall for Mazda 6 - for years 2012-2016.
    If you have a Mazda 6 for a different year, then this does not apply to you, and you can ignore it.

  • That's exactly how I understand IPS. I can't exclude it because we still have Excel 2007, although I believe it was patched years ago.

    The sender (our client) re-sent the XLS file as a mail attachment (they initially sent it by a download link - we can't download it due to IPS). Our Office 365 hosted mailbox does not flag the XLS as a threat. It got delivered just fine. That's why I am confused. Why doesn't Microsoft's malware scanner detect it?

  • The file is not malware.
    It just matches an IPS signature which is triggered via the download link.
    And it seems that the file does not match when attached via an e-mail, assuming that you have IPS enabled on your incoming SMTP policy.
    No idea what MS Defender etc. check for or doesn't.

    If you have PCs which did not get regular MS updates over the years (i.e. unpatched Excel 2007), you may have way more issues than this one.

  • Unless you really need to get XLS format files that can contain macros, best practice would be to request the vendor send XLSX format files because XLS has been outdated since 2007. For people who don't have MS Office, they can use LibreOffice and set it to save as XLSX and DOCX by default, thereby avoiding threats from macro-containing files.

    Office 365 threat scanning comes in two levels, with APT scanning being an additional charge, so that MIGHT be the difference between WatchGuard flagging and MS not, or MS just doesn't scan for IPS threats.

    I recommend adding a mail flow rule to drop certain types of Excel files that can be malicious, such as .IQY files. I drop IQY, DOCM, PPTM, XLSM, and a bunch of other potentially hazardous types. I never need to receive emailed macro-containing files. For clients who do, I set their rules to prepend a warning about macros.

    Gregg Hill
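The two mail flow policies described in the last comment (drop macro-capable Office attachments outright, or prepend a warning for clients who must receive them), written out as Exchange Online PowerShell. This is an added example, not code from the thread or from Gregg Hill; it assumes the ExchangeOnlineManagement module is installed, an account with rights to manage transport rules, and placeholder rule names, comments and UPN of my own. The extension list is only the four types the comment names (IQY, DOCM, PPTM, XLSM).

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement
# module and an account allowed to create transport rules.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder UPN

# Extensions named in the comment. AttachmentExtensionMatchesWords takes
# them without the leading dot and matches the attachment's file extension.
$hazardous = @('iqy', 'docm', 'pptm', 'xlsm')

# Policy 1: tenants that never need macro-bearing attachments - drop the message.
# Mode 'Audit' logs matches without acting, so the rule can be checked against
# real traffic first; switch to 'Enforce' once the hit list looks right.
$dropRule = @{
    Name                            = 'Drop hazardous Office attachments'   # placeholder name
    AttachmentExtensionMatchesWords = $hazardous
    DeleteMessage                   = $true
    Mode                            = 'Audit'
    Comments                        = 'Drops IQY/DOCM/PPTM/XLSM attachments (added example).'
}
New-TransportRule @dropRule

# Policy 2: clients who do receive macro files - deliver, but prepend a warning
# to the subject and to the top of the body (Wrap handles non-HTML bodies).
$warnRule = @{
    Name                              = 'Warn on macro-capable attachments'  # placeholder name
    AttachmentExtensionMatchesWords   = $hazardous
    PrependSubject                    = '[MACRO WARNING] '
    ApplyHtmlDisclaimerText           = '<p><b>Caution:</b> this message carries an attachment type that can run macros. Do not enable content unless you expected this file.</p>'
    ApplyHtmlDisclaimerLocation       = 'Prepend'
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
    Mode                              = 'Enforce'
}
New-TransportRule @warnRule

# Verify which attachment-extension rules exist, whether they are enabled,
# and in what mode and priority order they run.
Get-TransportRule |
    Where-Object { $_.AttachmentExtensionMatchesWords } |
    Format-Table Name, State, Mode, Priority -AutoSize
```

In one tenant you would normally keep only one of the two rules; if both exist, give the drop rule the lower Priority number so it runs first, since a deleted message never reaches the warning rule.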
